Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] ISS not detecting unicode bug??
From: Mark Curphey <mark () CURPHEY COM>
Date: Thu, 16 Nov 2000 23:07:48 -0500

Agreed about Nessus. Its an awesome example of the speed and power of open
source development.

Another interesting advantage of going the open source security route is
that you could easily work out how and what the check was trying to do and
decide for yourself if it was a false positive. If it was only checking for
/scripts as someone suggested, you could easily modify it as well, improve
the check and share that back to the community so we could all benefit.
----- Original Message -----
From: "Alfred Huger" <ah () SECURITYFOCUS COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, November 16, 2000 10:25 PM
Subject: Re: [PEN-TEST] ISS not detecting unicode bug??


On Thu, 16 Nov 2000, Eric Budke wrote:

There was some discussion a year or two ago on another list with the
guys
from ISS and NAI (and some others) going back and forth about how they
actually test, the merits of basing it only off of a banner vs. going
through with the actual penetration (especially in how it applies to DOS
testing). Both ways have their merits, but neither tool is flawless.

Wow, that brings back memories, the discussion was actually about 2 1/2
years ago and if I remember correctly it got a bit ugly.

The SNI/Ballista position was that checks should be more than a banner
grab and should actually (to a degree) exploit the problem to bring back
'proof positive'.

After being out of the business (of building scanners) for a while I still
actually feel the same way. Banner grabs to infer vulnerabilities are
sometimes required but they are not a good way to write the product.
However, in cases where you have (non) inetd driven services or other
services which will choke and not restart you have need other methods to
check. That is of course over simplifying it quite a bit, but that's a
microcosm of the issue.

Scanners are of course a poor alternative to hand testing for the most
part but like most of us agree, are usefull for lare scale engagement and
quick problem spotting.

If I were forced to buy a scanner today I would save my money and go with
Nessus. But of course, that is just me :>


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]